# Declares the sdcardd process domain and the file type of its executable, then
# hooks the domain up as a daemon started by init.
William Roberts | 80ea1d2 | 2012-05-31 09:44:51 -0400 | [diff] [blame] | 1 | type sdcardd, domain; |
# NOTE(review): permissive_or_unconfined() is a macro defined outside this file.
# Going by its name, sdcardd is left either permissive (denials logged, not
# blocked) or unconfined, so the allow rules in this file would describe intended
# access rather than an enforced boundary. Confirm against the macro definition;
# removing this line is the step that would make the rules below confine the daemon.
Nick Kralevich | 623975f | 2014-01-11 01:31:03 -0800 | [diff] [blame] | 2 | permissive_or_unconfined(sdcardd) |
# sdcardd_exec carries the exec_type and file_type attributes.
William Roberts | 80ea1d2 | 2012-05-31 09:44:51 -0400 | [diff] [blame] | 3 | type sdcardd_exec, exec_type, file_type; |
| 4 | |
# init_daemon_domain() is defined elsewhere; presumably it sets up the transition
# into sdcardd when init executes a file labelled sdcardd_exec - verify.
| 5 | init_daemon_domain(sdcardd) |
Stephen Smalley | 15abc95 | 2013-10-29 14:42:39 -0400 | [diff] [blame] | 6 | |
# Access for setting up the mount: create cgroup directories, read/write the FUSE
# character device, use a rootfs directory as a mount point, and mount a
# filesystem of any type carrying the sdcard_type attribute.
| 7 | allow sdcardd cgroup:dir create_dir_perms; |
| 8 | allow sdcardd fuse_device:chr_file rw_file_perms; |
| 9 | allow sdcardd rootfs:dir mounton; |
| 10 | allow sdcardd sdcard_type:filesystem mount; |
# NOTE(review): dac_override bypasses discretionary file permission checks and
# sys_admin covers a wide range of privileged operations, so this is the widest
# grant in the file. Presumably sys_admin is for mounting and setuid/setgid for
# switching ids - confirm against the daemon source before trimming the set.
| 11 | allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource }; |
Stephen Smalley | e13fabd | 2013-12-17 14:39:35 -0500 | [diff] [blame] | 12 | |
# Labelling and access for media storage: a dir or file that sdcardd creates
# inside a directory labelled system_data_file is given the type
# media_rw_data_file by default instead of the parent's type.
# The type_transition only picks the label; the two allow rules after it grant
# the access to objects of that type.
# NOTE(review): creating an entry also needs write access to the parent
# system_data_file directory. Within this file that appears to come only from
# the compatibility rules further down - check before removing them.
| 13 | type_transition sdcardd system_data_file:{ dir file } media_rw_data_file; |
| 14 | allow sdcardd media_rw_data_file:dir create_dir_perms; |
| 15 | allow sdcardd media_rw_data_file:file create_file_perms; |
Stephen Smalley | 15abc95 | 2013-10-29 14:42:39 -0400 | [diff] [blame] | 16 | |
| 17 | # Read /data/system/packages.list. |
# NOTE(review): the rule is keyed on the type, not the path, so it grants read
# access to every file labelled system_data_file, not only packages.list.
# Giving that file its own type would let this grant be narrowed.
| 18 | allow sdcardd system_data_file:file r_file_perms; |
| 19 | |
| 20 | # Compatibility for existing devices with /data/media in system_data_file. |
| 21 | # TODO: Remove these lines after we have guaranteed that /data/media has been relabeled to media_rw_data_file. |
# NOTE(review): these grants apply to every dir and file labelled
# system_data_file, not just those under /data/media. create_dir_perms and
# create_file_perms are macros defined elsewhere; by name they include create and
# write-class permissions, which would also make the separate read rule for
# packages.list redundant while they remain - confirm against the macro
# definitions. Until the relabel is verified, this is the broadest data access
# sdcardd holds and the first to drop when tightening the domain.
| 22 | allow sdcardd system_data_file:dir create_dir_perms; |
| 23 | allow sdcardd system_data_file:file create_file_perms; |